
Milagli / Shutterstock



Apple said Monday it was “actively investigating” the violation of several of its iCloud accounts in which revealing photos and videos of prominent Hollywood actresses were taken and posted all over the Web.

“We take user privacy very seriously and are actively investigating this report,” said Apple spokeswoman Natalie Kerris.

Photos — some real, some possibly fakes — are said to have been taken from the iCloud accounts of several celebrities, such as actress Jennifer Lawrence. They were posted to the Web image-sharing community 4chan and have since spread across the Web, showing up on social media sites like Twitter, Reddit and elsewhere.

Security experts said the hacking and theft of revealing pictures from the Apple iCloud accounts of a few celebrities might have been prevented if those affected had enabled two-factor authentication on their accounts.

Apple hasn’t yet said anything definitive about how the attacks were carried out, but researchers at the security firm FireEye examined the available evidence and said it appears to have been a fairly straightforward attack that could have been thwarted.

Apple calls the additional step usually known as two-factor authentication “two-step verification,” although it doesn’t work very hard to tell people about it, said Darien Kindlund, director of threat research at Mandiant FireEye.

“In general, Apple has been a little late to the game in offering this kind of protection, and doesn’t advertise it,” he said. “You have to dig through the support articles to find it.”

When enabled, two-factor authentication requires users to enter a numerical code that is sent to their phone or another device, in addition to using their regular password. Since the number constantly changes, it makes it much more difficult for attackers to gain access to the account, even if they know the password.

Assuming the compromised accounts were running without the two-step option turned on, it would have been relatively easy for the attacker to gain access to the accounts.

As The Next Web reported earlier today, the attack may be linked to software on GitHub called iBrute that is capable of carrying out automated brute-force attacks against iCloud accounts. In this scenario, an attacker simply guesses a password again and again until he or she succeeds. While tedious and time-consuming for a person, it is a simple and vastly faster process for a computer.

The as-yet-unknown attacker had one other advantage: Apple allowed an unlimited number of password guesses. Normally, systems limit the number of times someone can try to log in with an incorrect password before the account is locked down entirely. Apple has since fixed that aspect of the vulnerability.

“The attackers never should have been allowed to make an unlimited number of guesses,” Kindlund said.
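To make the missing control concrete, here is an added example (not code from the article, Apple or iBrute) of a login handler that enforces the per-account lockout the passage describes: after a fixed number of failed guesses within a window the account refuses every attempt, correct password included, until the window expires. The account store, limits and injectable clock are constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Constructed demo limits: five bad guesses lock the account for 15 minutes.
MAX_FAILURES = 5
WINDOW_SECONDS = 15 * 60


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0        # consecutive failed guesses in the current window
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so an offline attacker cannot test guesses cheaply either.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginService:
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so the lockout window can be tested
        self.accounts = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Failures are counted per account."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"
        now = self.clock()
        if now < acct.locked_until:
            return "locked"                 # refused without even checking the password
        if acct.locked_until:
            acct.failures, acct.locked_until = 0, 0.0   # window expired, start fresh
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + WINDOW_SECONDS
            return "locked"
        return "denied"
```

Unlimited guessing is exactly what this counter removes: the fifth wrong password locks the account, so an automated guesser gets at most five tries per window instead of the millions it would need.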

And while there’s no direct evidence tying the program to the attack, the timing of the incident appears to coincide with a talk given by security researchers on the subject of security on iCloud. See the slides here.

The iBrute program was created by security researchers in Russia as a proof of concept and demonstrated as part of a talk at a security conference in St. Petersburg earlier this month.

It’s not the first time that this sort of thing has happened, nor will it be the last. Back in 2005, socialite Paris Hilton was the target of a hacking attack in which pictures and text messages from her Sidekick smartphone were pilfered from a cloud storage account. A group of young men were prosecuted over that incident and another attack against the database giant LexisNexis, and most of them served time in federal prison or juvenile detention.

Update: I corrected Kindlund’s association as being with FireEye, not its Mandiant unit.



15 comments
E. Ellappa

I don't care if they are famous or not. It sucks for them. That said, if you are going to take naked pictures of yourself, cool. More power to you. Understand the consequences and don't upload them to the cloud. 

Secure Channels

Daily data breaches are now a daily occurrence and have reached epidemic proportions. The celeb photo hack through iCloud is just another example and has further exposed the current in-place failings of protecting your data. It is abundantly clear that protecting your data with perimeter defenses is insufficient. Furthermore, the reality is that your data is going to get stolen, and one of the key protections that should be a mandatory function of digital life is to encrypt your most sensitive data with absolute certainty, leaving the thief with only useless bits and bytes. If you are going to let your private or sensitive data be held by others (including your own device), then you need to elevate the level of security to protect said data. Unhackable encryption is a certain way to render compromised data useless, which should be combined with elevated means of authentication. Laziness with passwords is akin to leaving the front door of your home with all of your valuables unlocked. If the data you are protecting is an apple pie recipe, then there is no need to elevate the level of security to these heights. But if you are protecting your financial, medical and other private data, the now regular daily breaches are dictating that we need to protect our data to the fullest extent.

Cintos

The image I saw of Kate Upton was most assuredly photoshopped. It was one of Sports Illustrated "painted swimsuit" shots of her. It was not hard to "expose" her bottom, as it was already naked under a little paint. They did not bother removing her "top", as her nipples were already visible through the body paint.

Many of the purported iCloud hacked photos show they were taken with Android and BlackBerry phones - not likely stored in iCloud, but more likely from another cloud service that does not hold the media interest that Apple attracts.

Scott Goldman, CEO - TextPower

There are a few important things to remember here:

1. There's no definitive proof that this was, in fact, a hack of iCloud or any other Apple service. You certainly wouldn't want to be convicted of a crime without proof, so why would you simply assume that iCloud is at fault?

2. There are security measures that are available to users that most simply don't take advantage of. Authentication, of course, is the most obvious method, although hardly anyone makes the effort to implement it or use it.

3. Authentication should be done "OOB" (out of band), meaning that if Apple is the provider, Apple shouldn't be doing the authentication (as they currently do). They should be contracting with someone else that handles the authentication separately and thus is less likely to be exposed or vulnerable in the same hack.

While hacks like this are nefarious and despicable, anyone that posts photos, personal data, account numbers or anything else anywhere online is at risk. Lowering your risk through the use of whatever authentication methods are available (i.e., two-factor, multi-factor or omni-factor authentication) is essential. Not doing so is like leaving the front door to your house open and nailing a "Rob Me!" sign to it.

DP

Apple needs to do a better job educating folks on what iCloud does and how one should use iCloud. It is a pretty broad service and product offering that plays such a key part in using iOS and OSX devices, yet very few seem to really understand it.

Recently, I went to a local Apple Store and the guy at the genius bar rolled his eyes and said "Seriously, I can't really explain it all either. It really is confusing so I can understand why so many folks have questions."

Tim Acheson

This meaningless statement from Apple is clearly designed to plant seeds of doubt about Apple being at fault, by implying based on no evidence whatsoever that Apple platforms and devices may not be to blame. It is a transparent attempt to deflect blame and discussion of the issue away from iCloud, loyally reported by the corporate tech media without question.

Indeed, the fact that Apple remains silent about the nature and scale of these breaches very strongly indicates that the corporation is at fault and knows it, because if they could point the finger of blame elsewhere they obviously would not hesitate to do so -- immediately and loudly.

Apple should already know what caused this breach of iCloud security and unauthorised access to iCloud data. If they truly still do not know, that would indicate further negligence and/or incompetence.

JediKnight

From year to date my bank credit card was compromised 4 times; my GF was compromised 7 times. I use Chase and she used Bank of America. The last time it was compromised was last week. Luckily Chase noticed suspicious activity and contacted me. If Apple releases a way to pay through the phone, I think the same will happen. Hackers will continue to find a way in. It's like running up a hill with ice. Eventually you will figure it out if you are determined enough to reach the top.

Neil Anderson

@wakeupz "As a side note, let's all trust our credit cards with Apple now!"

Ever ponder why this hack surfaced now?

FedUp

Apple's two-factor authentication does not work with all cell providers. They must be using short codes, as some providers block those SMS codes. Seems Apple did not learn anything from the Mat Honan fiasco from several years ago.

wakeupz

"her Sidekick smart phone" I stopped reading there... nah, just kidding, I finished reading, there was only a sentence left.

As a side note, let's all trust our credit cards with Apple now!

Ronny2

@Scott Goldman, CEO - TextPower "Not doing so is like leaving the front door to your house open and nailing a 'Rob Me!' sign to it."

True, but from a practical standpoint, how do you get users to adopt these practices? I've read several articles listing recommendations for avoiding these hacks; but then I think about the average end-user and wonder how many of them (1) are going to read these suggestions and (2) have the technological savvy to implement them.

I know, people need to take responsibility to safeguard their own data, but the fact is that they won't. Like it or not, that puts even more of a burden on providers to build these security recommendations into their own services and software. For instance, don't just offer two-factor authentication--require it. Don't just recommend strong passwords--require them. If you are one of the tech leaders, you can afford to do these things without losing market share. By doing so, they become industry standards, and even low-info users get accustomed to the new way of doing security.

JohnR

@JediKnight There's no such thing as 100% secure anything. Either you just stash all your cash under your mattress or you have to accept the very remote possibility that you'll get hacked.

JohnR

@Neil Anderson @wakeupz "hack" is alleged. There's no proof it was an iCloud hack. Maybe an individual password hack, but you can't ever prevent that.

Steven Klein

@FedUp So why use SMS when Apple doesn't require it? Apple's two-factor authentication allows for SMS (if you want it), but as their website notes, "You can also verify your identity using any device that has Find My iPhone, iPad, iPod touch enabled with your Apple ID."

That notification is sent as data to any iOS device you own, completely bypassing your carrier's SMS system.

JohnR

@wakeupz You seem to conveniently forget that Apple ALREADY has your credit cards (assuming you have an iTunes account). I have not seen one case of a system-wide security breach with the credit cards ever since iTunes has been in existence.
